Mozilla Foundation Security Advisory 2009-22

Firefox allows Refresh header to redirect to javascript: URIs

Announced

April 21, 2009

Reporter

Michael

Impact

Moderate

Products

Firefox

Fixed in

Firefox 3.0.9

Description

Mozilla community member Michael reported that
when a server responds with a Refresh header containing a
javascript: URI, Firefox will redirect to the javascript: URI. If an
attacker could inject a Refresh header into a server
response, or could control the value that a site places in
the Refresh header, they could use this vulnerability to
perform an XSS attack and execute arbitrary JavaScript within the
context of that site.